The SAML web site is not longer accepting new posts. Information on this page is preserved for legacy purposes only. For current information on SAML, please see the OASIS Security Services Technical Committee Wiki.

authnrequest invalid signature

i receive a 'invalid signature' from the IDP (</samlp:StatusCode>), what causes this message to appear? what part of the authnrequest should be signed? and how does the idp validate it? i dont understand how it is possible that the element with the signature is within the element that needs to be signed (root?) (if that is the case)

  1. The AuthnRequest doesn't have to be signed unless the IdP requires it or the SP tells the IdP that it will always sign the request.
  2. The entire message should be signed (see the RequestAbstractType in the Core specification for a description of the signature element and Section 5 in the Core specification for a description of using Signatures).
  3. The IdP applies standard XML signature validation processes to validate the signature itself and then applies its own internal policies on the acceptability of the key used in the signature.
  4. XML Signature allows for a signature to be encapsulated in the element being signed.  The signature does not apply to the signature itself.  Review section 5 of the core specification as well as the XML Signature specs for more details.  XML Signature libraries typically understand this type of enveloped signature. Focus Areas: BPEL | DITA | ebXML | IDtrust | OpenDocument | SAML | UBL | UDDI
OASIS sites: OASIS | Cover Pages | | AMQP | CGM Open | eGov | Emergency | IDtrust | LegalXML | Open CSA | OSLC | WS-I